Last week, WellPoint, one of the nation’s largest insurers, settled a HIPAA violation case brought by the Department of Health and Human Services. In a self-reported violation, WellPoint was found to have exposed the personal information of over 612,000 individuals in what WellPoint termed a “lapse in its online security during a routine upgrade of its system.” The “lapse” occurred during a routine online upgrade of WellPoint’s tracking system.
HHS said, in a statement, “This case sends an important message to HIPAA covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to web-based applications or portals that are used to provide access to consumers’ health data using the Internet.” The investigation concluded that WellPoint did not take proper procedural safeguards in ensuring that information could not be accessed during the upgrade. Specifically, HHS concluded that:
- Did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the HIPAA Security Rule.
- Did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database;
- Did not adequately implement technology to verify the identity of a person or entity seeking access to ePHI maintained in its web-based application database;
- Impermissibly disclosed the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database
The violation also has resulted in several civil lawsuits brought by individual insureds.
The WellPoint settlement is yet another illustration of the serious nature of ensuring patient data. As we progress aggressively towards online and electronic patient data, caution cannot be disregarded and, indeed, must be paramount. Each provider should have a protocol in place to safeguard patient data. The protocol should satisfy the new HIPAA guidelines and should be revisited every six months as an addition precaution.
For more information about this topic please contact: Richard E. Haskin Partner Ph: (702) 836-9800 Fax: (702) 836-9802 email: firstname.lastname@example.org
Copyright 2013 Gibbs Giden Locher Turner Senet & Wittbrodt LLP